Posted
by
timothy
on Thursday October 14, 2010 @05:07PM
from the sir-your-analogy-is-unbuttoned dept.

Jack Spine writes "The US and allied countries should formulate a doctrine to apply the principles of nuclear deterrence to cyber attacks and cyber espionage, according to former US Homeland Security secretary Michael Chertoff. No matter that it's very difficult to attribute the source of cyber attacks — just take punitive action against the platform being used to attack, says Chertoff."

Chertoff was the head of DHS who hired Stasi officers - like Markus Wolf - to design plans fro a mandatory ID programme, like that used to control freedom of movement in the former East Germany.

"Chertoff is credited with authoring the Patriot Act, the 300-plus page blueprint for the modern National Security State; patterned to great extent on the successes of the KGB in the Soviet system. He's admired among his Bush cadres for making sure that government surveillance operates at maximum efficiency. Under his stewardship at the Dept of Justice, the 4th amendment has withered like summer grass. The long-held belief that citizens, have a right to a "reasonable expectation of privacy" has buckled under the demands of

"Big Brother" and the new "intrusive" security paradigm."

And: "Chertoff's record of failure at Justice is second only to that of Ashcroft. His 4 year tenure hasn't produced even one identifiable success. (Check out his "obstruction of justice" in the John Walker Lindh case on Democracy Now)

Instead, his personal ineptitude and his palpable contempt for the law have only showered more disgrace on the institution of American justice. That probably explains why he's being moved up the bureaucratic dog-pile to the top rung of Homeland Security. In Bush-world "failing upwards" is more commonplace than cowboy boots at a Crawford tent-show."

Before this? He was an Assistant Attorney General - who enabled Chiquita to escape prosecution for hiring private, right-wing death squads - to suppress fair-trade practices from emerging in the banana plantations of Colombia.

"Chiquita, [company officials told Chertoff], would have to pull out of the country if it could not continue to pay the violent right-wing group to secure its Colombian banana plantations. Chertoff...affirmed that the payments were illegal but said to wait for more feedback, according to five sources familiar with the meeting...Sources close to Chiquita say that Chertoff never did get back to the company or its lawyers. Neither did Larry D. Thompson, the deputy attorney general, whom Chiquita officials sought out after Chertoff left his job for a federal judgeship in June 2003. And Chiquita kept making payments for nearly another year."

"May be?" Saying the morality of this "may be flawed" is like saying my pet unicorn "may be flawed". There is no morality in it, period. It's completely immoral, plain and simple. The Stasi are evil, and so is Chertov. But it is logical to hire a man without morals to head an immoral agency that should never have existed in the first place.

It was, for the US. It was the US outspending the USSR in military buildup that led to their destabilization and collapse. Mission accomplished. Sad thing is that is what the current world situation is doing to the US now.

There is no way it was successfull for the US, it was a stupid and unnecessary pissing match from day one. An embarassment for the country. I am still against having a standing army. We have no need to have forces outside of our borders. Its a shameful waste.

The worst part about a standing army is that it creates two functional classes of citizens that do not share the same fundamental need.

Those that have signed their right of refusal over to the government should not be permitted to vote or participate in political events or debates until the right of self-determination is legally returned to them.

During their period of service they must be treated as exactly what they signed up to be - fleshbots for whoever comes to power during their tour.

"Pissing match" is the least of it. Go watch the documentary "Trinity and Beyond: the atomic bomb movie". It was a bunch of power mad and power drunk farktards gambling with our lives and, arguably, the entire planet.

We were paying for it just fine until Reagan came along and convinced the voting populace that taxation is theft and that defect spending is the wave of the future. Reagan's tax cuts (which have hung around much longer than the Red threat) are what sent this country spiraling into debt we haven't recovered from, not the cold war.

If taxes are a kind of theft from an individual, then driving on a public road, using a public library, riding on a commercial airline, and calling the police are all kinds of theft from the government or community.

Good luck with that telethon, I don't think you'll be getting any money.

Commercial airlines come in because the government hugely subsidizes the commercial airline industry in the US, running everything from air traffic control to airport security at little to no cost to the airlines involved because having cheap, functional air transportation in this country is in the best interest of US businesses.

Your opposion to 'all of it' until everything is run the way you want is incredibly childish and is the

Well thats how I feel about a war on the citizenry. Honestly, I don't consider this my country so much as the country I was born inside of, and which is run by an entirely different economic class. I openly state my preference for breaking up the union, and see little real benefit to the common people in keeping it together any longer. Its pretty outdated and no longer needed.

That is until you realize that the total economic collapse we are currently in the first stages of was started at the end of that war. Oh, and the fact that we "won" the war by simply becoming just like them. Hell, these days the DHS and the NSA could teach the NKVD a few things about the finer points of establishing a police state.

Nah, someone will just root some of the US militarise own shitty, poorly patched windows NT boxes and use them as a platform for attack.

The US military will then MAD it's own network into the ground to show them who's boss.

Or even better.

If I want to take down some website, I don't have to do the hard work any more.Just find any insecure app or server in the same server farm and use it to launch some trivial attack against the US government.The US government then does my attack for me, DDoSing or blackholeing the entire datacentre and my target.

I've heard enough silly ideas over the years for systems of actively attacking machines which attack a network, sometimes in an automated fashion.Most automated ones are trivially subverted to use against third parties and the non-automated ones depend on the people in charge being able to find their arse with both hands... unfortunately it's the military.

If I want to take down some government, I don't have to do the hard work any more.
Just find any insecure organisation in the same country and use it to launch some trivial attack against the US government.
The US government then does my attack for me, bombing the entire country and my target.

So long as they don't respond to a DDoS with one of their own, but with a targeted attack designed to silence the particular nodes in question, then it's probably a good thing. It's not like it's not possible to keep logs to see if these guys are operating outside their mandate.

There's no such thing as a completely secured system, and that's where the flaw in this plan lies. If the policy is to attack the last link, a third party can use you as an attack dog against anyone they want -- they might not even need to actually exploit the "target" if they can spoof the attack to make it look like the target is the last link.

You're right. An eye for an eye, a tooth for a tooth, and soon you need seeing-eye dogs and dentures.

With two million botted machines in the US alone (a conservative estimate), you could piss off a lot of homies, too. I don't think Chartoff realizes just how many pawns there are, ready to march, and give him a bad day. That we don't consider those pawns as attackers-in-waiting is a fool's blindness.

For once, this is a proposal from the security theater industry that isn't batshit insane. You DDOS us, we null-route the offending nodes, or we politely ask whoever supplies your country with connectivity to do it on our behalf. You DDOS an airline reservation system, stranding millions, and we null-route your country until its uncooperative ISPs learn to play nice. You DDOS an air traffic control system so hard that you actually start killing people, and we not only null-route the country until the dust settles, but we also reserve the right to shut down the offending data center with a LART, presumably in the form of an earth-penetrating mallet. (And we expect that you will do the same to us, if our roles are reversed.)

The present situation is that we run around like chickens with our heads cut off, make vague fearmongering sounds about "what if", and apply for increased funding. That'll happen too, but at least this way there'll be some ground rules as to what sort of retaliation is permissible. Go ahead and spy on us (if we catch you, we'll block you). Try to poke at us (but don't do much damage) and we'll get annoyed. Break our toys, and we'll break your toys. Do collateral damage, and the gloves come off.

The problem is collateral damage. What is more likely the nation of Elbonia is attacking the United States by DOSing an airport reservation system? or a competing airline hired some crackers to harm the competition, and those crackers have rooted some machines at the national ISP of Elbonia, that they do it with?

So we respond by routing the entire nation via 127.0.0.1, which is great in that it solves the problem but it probably denies all sorts of services to innocent people, and I am not talking about Mohamed's Netflix subscription, what about that X-Ray the surgeons there wanted a consult on, and the nations telephone system which is IP based at least for international calls. Oh and hey the assembly plant GM is trying to operate there, etc etc. All this is going to do is make small problems big ones.

Perhaps. The operating theory here, I think, is that at some point, a government will stop doing such idiotic things as cyber warfare because the costs are too high. Just like the threat of economic sanctions.

Part of the problem, however, is that for all the "control" we might have over the internet, it's a global network that by design can't just be turned off like that. Personally, I think that good old fashioned, "Oh, you shutdown our air traffic control system? Here, we'll shut down your airspace by

Part of the problem, however, is that for all the "control" we might have over the internet, it's a global network that by design can't just be turned off like that. Personally, I think that good old fashioned, "Oh, you shutdown our air traffic control system? Here, we'll shut down your airspace by destroying anything that gets more than five feet off the ground." is more effective. Excessive? You bet. That's the whole bloody point of MAD. Cyberwarfare cannot be part of a MAD policy unless you are prepared

The operating theory here, I think, is that at some point, a government will stop doing such idiotic things as cyber warfare because the costs are too high.

Did I miss something? AFAIK the costs of nuclear MAD are in the "somewhat high" category, yet no-one has yet gone "you know what, we'll get rid of them all because it just isn't worth it - it'll all go wrong, no-one wins and it is an expense we just can't manage".

If you meant the financial cost of daily ops and overheads, who said it even needed to be of

In other terms all I need to do to block all data traffic between the United States and any country I wish is to have a botnet in that country and have it DDOS a high-profile US site? Yeah, that sounds awesome.

Unless of course all ISPs in that country will submit to whatever the American government says based on the promise that American ISPs will cater to every whim of every foreign government. Well, every whim that involves shutting down arbitrary network nodes.

For once, this is a proposal from the security theater industry that isn't batshit insane. You DDOS us, we null-route the offending nodes, or we politely ask whoever supplies your country with connectivity to do it on our behalf.....

Dr Julius No here: I'm about to set up a botnet. Once I'm done I'll send a command to all the zombies in US to DDoS and I'll shut down my command center. Good luck, America, in null-routing in your own network and/or sending LART-s on your own soil (crazy laugh).

This is all incredibly stupid. First off, we should never have a "cyber cold war" because we shouldn't put our fucking important infrastructure on the internet! If it could harm human lives if it goes down and there isn't a non-networked backup that can be used at a millisecond's notice, it shouldn't be on the internet.

If you've spent 2.3 billion to construct another power plant and you are too lazy to actually staff it, something tells me an extra $150,000 to run dedicated lines from it to your main of

If we can lay a direct telephone line between Washington DC and Moscow to prevent a nuclear war, something tells me we can afford to lay some cable 10 miles to prevent some "cyber cold war"

The/. "air gap" theory is crap. I don't think you appreciate the complexity of the problem. Critical systems aren't just SCADA systems. What about financial transactions? Should we have a separate banker's internet that contains all redundant equipment? How about DoD unclassified? For that matter, what about systems that are secured, but utilize existing routers, lines, etc because it would cost millions to build an entirely separate transcontinental backbone just to keep the infrastructure separate

For larger banks, financial transactions absolutely DO use dedicated lines.

But not for all transactions. Also not true for many stock brokers, traders, etc.

air traffic control etc should be directly controlled by a human on-site.

ATC consists of a nationwide network of radar sites that share data across the network. Controllers are responsible for a large region [wikipedia.org], and flights have to be handed off from one region to another. It used to be that all of this was done via proprietary radio and terrestial links, but the FAA found out it was much cheaper to use existing internet connectivity.

There's absolutely no need whatsoever to have public infrastructure connected to the internet short, of saving a small amount of money on maintenance.

Given the D- and F grades our government usually gets for security its more likely the platform used to attack will have a.gov or.mil extension; and hey the terrorists might figure gee if we look to rooting those boxes we might get some collateral damage from friendly fire.

Seriously I thought this whole retaliatory stuff got dropped by the computer security professions years ago once they realized that to be effective the systems would mostly need to be automatic because whatever you do is time critical,

Well, we certainly considered taking action against the specific airliners being used by the attackers. If a certain IP is being used by an attacker, why not null-route it where possible, or DoS it where not possible? It sounds like an easier decision than shooting down a hijacked passenger plane.

One would hope that there are some checks and balances in the process to reduce the chances of abuse by authorities, of course.

"Cyber" is the vague sort of word that Government Management uses in an attempt to sound technologically astute. As soon as you hear a phrase such as "cyber war", you know you are dealing with a management automaton paddling beyond its depth.

It's interesting to note that this term is a back-formation made from "cybernetics":"From Greek kubernts, governor, from kubernn, to govern."

Makes it sound as though this is another war that being invented by the government to spend the people's money to take the people's freedom away.

Terrorism is only scary to people who shouldn't have been let past the third grade. Even irrational people understand their risk of death by terrorism is pretty much nil, compared to say their risk of horrible death involving decapitation and other hilarious ends while driving.

"Cybersecurity", though?

Computers are strange, wondrous magic boxes for the vast majority of the population. Even for the supposed tech whiz 'next generation'. Oh, sure, kids these days understand Twitter. They sure as hell don't understand TCP/IP. What better platform, then, to force Americans to do what we do best? Wet our pants in baseless fear and beg our government to strip us of our freedom.

OH NOES OSAMA IS WHISTLIN' INTO A PHONE AND LAUNCHING NOOKS FROM SATELLITES!:O SAVE ME, GOVERNMENT!

"Cyber" has had an interesting history [slideshare.net] - from military research in 1948 (Norbert Weiner coined "cybernetics" while working on anti-aircraft guns), to 1980s science fiction, to 1990s business buzzword, to military strategy [slashdot.org] in 2010. Which raises the question, can military planners only understand their own technology through the lens of science fiction?

Maybe we should all take our shoes off for inspection before we get online. Or make us wait in an unguarded corral area for half an hour before we can enter the secured area. Or randomly pull users aside for full system scans. Or force users to their own drink breast milk before logging in.

Anyone can fake the origin of a attack, so the basic rule about this is: never attack the attackers. If you do this, you can be used as a means to attack others!.. like your cpu power be used as part of a DDoS against a third party.

Seems to me these people still do not understand the threat. This is not warfare. It is vandalism, petty theft, corporate espionage and maybe some extortion. You cannot fight crime of this sort with a cold-war strategy. Several reasons:

It is hard to identify the enemy, and when you do it will often be single individuals and very small organizations

The enemy is not afraid of counterattacks, since it does not have a similar infrastructure

The enemy is often hiding behind stolen identities (for example hacked servers), so the risk of hitting the wrong target is very, very high

This conflict is hugely asymmetrical in that the attacker has very low costs and the counterattacker has very high cost

Different from the cold war, it is not two huge organizations against each other, but large organizations against a huge number of individuals

This strikes me as basically an over-aggressive, "bully"-type strategy by people that like to employ violence, but are not very bright. It is doomed to fail from the onset. The situation is a bit similar to the "war on terror", but more like a "war on (petty) Internet crime". Fighting crime with military means has never worked and will never work. The way to fight crime is by I) better securing your property (but especially the government and military seems to be hugely incompetent in that area) and II) standard police work. The added complication is that this is an international problem, something the US is notoriously bad at tackling, since they do not understand the rest of the world at all. But bombing shoplifters is not something that is going to work, ever, and even not very bright people should be able to understand that.

As I wrote on that page: "There is a fundamental mismatch between 21st century reality and 20th century security thinking. Those "security" agencies are using those tools of abundance, cooperation, and sharing mainly from a mindset of scarcity, competition, and secrecy. Given the power of 21st century technology as an amplifier (including as weapons of mass destruction), a sc

Just like vandalism, one way to deter it is to make it easier to reverse the damage, than to cause it in the first place. These are computers we are talking about here. If the problem is software based, filter the attacker, use versioned filesystems and revert the changes.

That was the solution to the balance of power pre-WW1 if anyone remembers a bit of history. We all saw how that ended up.

Meh, basing the entire future of the internet on "Go on, do it, I dare you" will not end well for anyone. I can already see an RIAA/MPAA sponsored 'attack' taking down most of the internet (and them meddlin` filesharers!) for a few weeks.

I like how you ignore the 60+ years after WWII.
MAD absolutely does work. There have been dozens of near world-ending situations where fingers were literally on the actual buttons to send nuclear weapons at other countries.

It doesn't matter what got us into those situations (political turmoil, technical glitches), it was MAD that prevented us from pushing the button.

The newest terrorist tactic will be to simply compromise one system at a sensitive US installation and use it to attack DHS. It saves a step. Before this, you'd not only have to get access to the device, but you'd also have to know how to break it. Now step 2 is automated. You can also escalate the attack. If you have only unpriveledged access, but can send outgoing packets, you can now take it out.

While I'm sympathetic to Chertoff's views, the problem remains that the tools he suggests are both too blunt for the purpose and may actually reveal important, low risk information for the adversary. As the title suggests, the US has a many decades history, since the Second World War, of using progressively more selected and targeted means of killing people. There are two reasons for this. A more focused weapon inflicts more damage on the intended recipients and less damage on third parties. However, to be used effectively, you need to have intelligence on your foes and sufficient control of the weapon so that it hits what you want it to hit.

For example, in the absence of any intelligence, other than that "bad guy" insurgents are hiding in a certain city, then a nuclear bomb would be more effective than a smart bomb for causing harm to the enemy. The drawbacks of such a brutal and lazy strategy are pretty obvious, from huge loss of innocent life to the possibility that most of the bad guys survive the nuclear attack (maybe they're in a bunker or spread out so that a nuclear burst takes out only a few at a time). A smart bomb would be useless, a bad guy is more likely to die from traffic accidents.

OTOH, intelligence on where exactly the "bad guys" are leads to the smart bomb being much more effective. A smart bomb delivered right to the basement is more effective than a nuclear bomb blindly lofted a dozen miles away.

That sums up what I see as the first problem with Chertoff's proposals. Since the force is not focused nor based on decent intelligence, it doesn't harm the foe and harms innocents instead.

Second, unfocused harm has the tendency to warn the enemy that you know something before you get a chance to significant damage to them. A worst case here would be a rigid retaliation procedure that a foe could use to map out the sensitivity of your defenses and deliberately trigger unpopular retaliation attacks on innocent targets.

As it stands, there apparently is a large scale, systematic looting of US (and developed world) knowledge by unknown parties (often thought to be the Chinese government or Russian underworld). There should be a price paid for trying to steal millions or billions of dollars of information. I think that Chertoff's suggested approach is a losing strategy that doesn't help the US mitigate the loss from such activities.

Nuclear deterrence actually makes sense in the world of war where there is no physical possibility of being 100% certain to prevent an enemy from entering a state armed to the teeth, or sending in a nuke of their own. However, the internet has very few clear access points for any given institution. You're air-traffic control tower is suffering a cyber attack? Pull the plug on the router. The air-traffic control tower is suffering repeated cyber attacks? Time to fire your IT staff because they are idiots who

The person in the TFA goes on some random blabbering about "attacks on infrastructure" and "thousands at risk", proposes "cold-war, nuclear deterrence"-like strategy, then contradicts itself by saying "then... incapacitating the platform used to attack is something that you have to do", then goes again to talk about "overwhelming force" and what not.

There's no logic in that, and, if anything, it is the opposite of MAD, the dominating war strategy of the Cold war.

Maybe he said "nuclear due process" and the interviewer mistakenly wrote down "nuclear deterrence." He'd certainly never advocate destroying a US Citizen's computer without any due process! That would be just wrong! Chertoff's a former Assistant U.S. Attorney! I'm sure he respects the Constitution and would never advocate something so awful.

Destroying the countries where attacks originate is a broken doctrine, IMO. Use of force should always be measured, and focused, lest history revile us. The ease of false flag operations in "cyberspace" make the nature of our responses to attacks even more important. I would dismiss Chertoff out of hand were it not for the possibility that, rather than harmless BS, talk like this may encourage a doctrine that will allow our government to start wars and engage in various intrigues, to evil ends. Chertoff co-

I second that. Chertoff was the idiot that claimed in the days afterward that the devastation Katrina caused to New Orleans was unexpected. Which is a load of crap given that people had been warning for decades that a major hurricane rolling over New Orleans would indeed be a complete disaster, the preparations for the possibility were inadequate, and there were several close calls that made it obvious (e.g., hurricane Ivan in 2004). What kind of head of the "Department of Homeland Security" wouldn't kno

In his first ever public speech a few days ago, the head of GCHQ, Britain's equivalent of the NSA, explicity stated [infowar-monitor.net] that nuclear deterrence was not a suitable model for cyber defence "because small-scale but significant cyber attacks happen every day".

It's unusual to see open disagreement between such statements, which are usually carefully orchestrated; I wonder whether it reflects an underlying conflict between DHS and the new Cyber Command, with GCHQ siding with Cyber Command?

Chertoff was behind the preposterous program on CNN where a collection of lawyers sat around trying to play techies on TV. Most of them were probably technology challenged, and they focused on legal nonsense to deal with a weird technical scenario (a malicious cell phone app goes wild and shuts down the power grid).

His crazy ideas led to the proposal to shut down the Internet in the event of national emergency.

When he was in office he was behind a stunt where a cybersecurity attack was assumed and a piece of equipment was misused and rigged to tear itself apart -- on TV -- by doing something that has been known for decades to be a no-no.

The only value of Chertoff's nonsense is publicity for the issue. Everything beyond that is idiocy.

Cybersecurity is clearly a serious concern and work needs to be done to improve it for critical infrastructure. But off-the-wall ideas coming from Chertoff are not the way to move forward. Instead, we should have people who know what they are doing lead the effort.